windowsnerd.com

notes from an admin for himself. you can read it if you want.


Dell Vostro 1400 blue screens on windows update after clean install

9 May, 2009 (02:18) | Hardware Info, How to, OS | 1 comment

Just reinstalled Vista Ultimate off the Dell disc. Fresh happy clean install, then let it update and KABOOOM! Blue screen. The problem is in the Intel chipset/matrix drivers. The easiest way to fix it is:

Go into the BIOS

Disable Flash Cache

Switch the disk mode from AHCI to ATA

Save and reboot

This will stop the blue screens and let you install all of your patches; then go grab the latest drivers and firmware from Dell Support.

Linux does this too on certain machines/chipsets. Man, it is a pain when they switch interfaces; the OS guys take years to recover.

Hahhahaaha, I mean, oh sucks for VA

5 May, 2009 (06:48) | antivirus/spyware, security | No comments

Well, Virginia went and lost their prescription drug data. 8.2 million people's worth of records are being held ransom by some idiot who I'm guessing is young, American and maybe drunk.

Here is the link to wikileaks who broke the story.

Maybe this will be the new tax needed to make companies/govt agencies provide resources to protect data.

Securing HIPAA data on a laptop

4 May, 2009 (18:22) | prediction, security | No comments

I'm tired of looking for resources that define how to properly secure HIPAA data on a laptop. HIPAA Title II is vague and seems to indicate that you need to secure patient data with good current industry standards. What are those standards? It reminds me of FERPA. I'm going to define "best effort according to industry standards" today for you. Here is what you need to know about what level of protection you are adding to your notebook and whether it is "good."


Operating system password only: BAD


If you depend on the Windows password to protect patient data, you belong in jail or in a place where they levy fines against you daily. You are lazy, ignorant or an evil penny pinching jerk. Enough said. No computers for you!

BIOS Password: NOT ACCEPTABLE


Honestly, not much better than an OS password as far as the time needed to defeat it: BIOS passwords are easily defeated by many tools, and those tools are bundled into many boot CDs anyone can download from the internet. I'll leave these tools without a name because any idiot can use them and I'm not giving the lazy ones a head start.

Hard Disk Password: Getting started


Vendor information tells you that your hard disk's password is safe even if the data is taken to another computer. This is not so. There are software tools that can brute force or wipe the chip containing the password. You can buy replacement security chips for certain hard drives. Tools to defeat a hard disk password stored on the drive itself are a little rarer than, say, a multimeter. So obscurity is beginning. This is a good starting point, but here are a few ways around it to prove how easy it is:

Call YEC. Ask about purchasing a Shinobi unit for $1190. You can use this to kill the password on most drives. Anyone could buy this for their garage, sell a legit password reset service on craigslist and make the cost back in a week. Then just start trading drives on ebay and dig for gold. For $100-$300, YEC will do the crack for you if you call them. A person who knows they have acquired a laptop with sensitive data doesn't have to own anything or have experience hacking/cracking; they can just mail it in. One could also remove the platters of the drive and install them in an unprotected drive for around $500-$1000 using a data recovery service. A few hundred dollars is more than enough to build a "clean box" to move the platters without a clean room and have a very good chance of imaging the drive without damage.

Hard Disk passwords can be enhanced by using something like a Shinobi to install a better MD5 protected password. This adds some complexity and shows any court that you are making a heck of an effort to protect data. For $1000 it is really cheap if you use it to protect 100 hard drives, and also use it to wipe your disks before disposal. 

As a proof of concept I just ran a few tools against a SATA 160 GB drive; brute force took 2.5 hours on a single-word, one-digit password. Easy peasy.

Whole Disk Encryption: Decent-Good


Implementation is the key here. Whole disk encryption is breakable using information in RAM. Google "cold boot attacks." Adding a token like Pointsec's doesn't gain you anything against this same type of attack on RAM. This holds true for Truecrypt, Bitlocker, Apple's encryption, PGP, most of them. To use whole disk encryption to protect HIPAA data you need to:

Disable sleep, hibernate, and any low power setting other than ON or OFF.

Set the laptop to shut off if the lid is closed.

Don't use TPM alone; combine it with a PIN or USB key.
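An added audit script for the three rules above (not part of the original post); it assumes Windows 8 or later with the BitLocker PowerShell module, an elevated prompt, and that the OS volume is the one to check.

```powershell
# Added example (not from the original post): audit a Windows laptop against the
# three whole-disk-encryption rules above and, with -Fix, apply the power-setting
# ones. Assumes Windows 8 or later (Get-BitLockerVolume) and an elevated prompt.
# A TPM+PIN protector is not added automatically because the user must be present
# to choose the PIN; the manage-bde command for that step is noted at the end.
param([switch]$Fix)

# Read the current AC and DC index of one power setting from powercfg's text output.
function Get-PowerSettingIndex([string]$SubGroup, [string]$Setting) {
    $text = (powercfg /query SCHEME_CURRENT $SubGroup $Setting) -join "`n"
    $ac = [regex]::Match($text, 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)').Groups[1].Value
    $dc = [regex]::Match($text, 'Current DC Power Setting Index:\s*0x([0-9A-Fa-f]+)').Groups[1].Value
    return @{ AC = [Convert]::ToInt32($ac, 16); DC = [Convert]::ToInt32($dc, 16) }
}

$findings = @()

# Rule 1: no hibernate and no sleep timeout (index 0 = never). HibernateEnabled is
# the registry flag that "powercfg /hibernate off" clears; a missing value means on.
$power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
if ($power.HibernateEnabled -ne 0) { $findings += 'Hibernate is enabled (the rule is ON or OFF only)' }
$idle = Get-PowerSettingIndex SUB_SLEEP STANDBYIDLE
if ($idle.AC -ne 0 -or $idle.DC -ne 0) { $findings += "Sleep timeout is set, keys stay in RAM (AC=$($idle.AC)s, DC=$($idle.DC)s)" }

# Rule 2: closing the lid must shut down. LIDACTION: 0 nothing, 1 sleep, 2 hibernate, 3 shut down.
$lid = Get-PowerSettingIndex SUB_BUTTONS LIDACTION
if ($lid.AC -ne 3 -or $lid.DC -ne 3) { $findings += "Lid close does not shut down (AC=$($lid.AC), DC=$($lid.DC))" }

# Rule 3: the OS volume must not unlock on the TPM alone; a PIN or startup key must be required.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is '$($vol.ProtectionStatus)' on $env:SystemDrive"
} else {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $needsUser = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
    if (-not $needsUser) { $findings += "Key protectors are [$($types -join ', ')]: TPM-only unlocks with no PIN or USB key" }
}

if ($Fix) {
    powercfg /hibernate off
    foreach ($cmd in 'setacvalueindex', 'setdcvalueindex') {
        powercfg "/$cmd" SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
        powercfg "/$cmd" SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 0
        powercfg "/$cmd" SCHEME_CURRENT SUB_BUTTONS LIDACTION 3
    }
    powercfg /setactive SCHEME_CURRENT
    # Interactive step for rule 3, run separately:  manage-bde -protectors -add C: -TPMAndPIN
}

if ($findings) { $findings | ForEach-Object { "FAIL: $_" } } else { 'PASS: all three rules hold' }
```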

If whole disk encryption is combined with a hard disk password, you get a great combination for security. Your users will hate you for having 2 passwords which need to be different in order for the effort to be worthwhile. 

New Hard Disk – On-disk encryption, Opal standard: Good


Far from perfect, the new standards implemented by storage industry manufacturers and computer vendors are more complex, but fairly safe. The Opal standard is the Trusted Computing Initiative plan to solve laptop/desktop storage security issues. My personal experience with the Dell/Wave/TPM module is negative so far. The software is buggy and bloated; I've had to reset the encryption a few times on a few machines and this has made the experience for the user horrible. As of 4/15/2009, the Dell/Wave/Embassy suite for an XT tablet is a 198 MB download! The fingerprint reader should at least work for a 200 MB installer. Not something I will be implementing company wide any time soon. I don't want ALL the employees to hate me.

As time goes on this technology will get better, but the clock is ticking until someone releases a crack for it too. I'm not sure why, but vendors always seem to be in a state of denial about the number of people actively working against their new "unbreakable" technology. Right now I rank the Opal standard as great by means of "security through obscurity." It is new enough not to have a giant target on its head. For now I'd say it is your best bet. As market share increases and more computers use this technology, it will be broken into and you should have a backup plan in place.


Windowsnerd recommendation: Whole disk + HD key


Older computers/small business: Truecrypt + your HD vendor's key. Not perfect by any means, but it sure is a good effort and it is free + $manpower. Will someone in a hurry to do a cold boot attack know they need to crack your HD password first? Yes. Will they do it while your laptop still has power? Maybe not. If anyone ever tries to prosecute you for losing HIPAA data on a laptop with both of these in place, I'm sure they will lose. I would not recommend spending thousands of dollars on a whole disk product until you have a company with a whole lot of machines. When installing Truecrypt, use Twofish+Serpent+AES. It adds a big A for effort and slows you down 10% or so. If performance is important, buy faster hard disks. If performance is really important, buy SSDs. Security with regulated data is more important than speed. You can make that part of your employment policy.

New computers/large business: Pointsec/newer disk key. I still like Pointsec over PGP only because of the Active Directory tools and key management. I recommend Pointsec and a password on every hard drive. If you get new computers, buy a drive advertised to have encryption capabilities and use that as well. Read up on the OPAL standard; manufacturers are just getting started with releasing some good drives compliant with OPAL.

Oh, and don't forget: backups become UBER important. When these encrypted drives/operating systems smoke, they go down in big flames. If you can't get past that first password you can't use any recovery tools.


Lesson to be learned over and over:


HIPAA reminds me a lot of FERPA. Universities lose FERPA data all the time. They know that bad press is the worst that will happen to them. With the number of records being lost every year creeping into the thousands of incidents, they know the bite from the press is becoming painless. Nobody notices; it happens all the time. When your information is lost, xUniversity sends you a letter telling you to file a police report and put a freeze on your credit, and leaves the mess to you. I have many of these letters. I know the admins who weren't given money to protect the FERPA data. They weren't given the money because the worst that would happen is that xU sends some letters and fires the admin who asked for money to protect the data in the first place. If there were fines against the institution in the millions of dollars, data would be protected. Don't universities have history, ethics or computer science classes? Ah, but the accounting and economics classes are more important than ethics and history at today's degree mills. The worker bees at the big Us don't want to listen to the academics anyhow.

To date I believe we are still at 2 prosecutions in the US for misuse of HIPAA data. The fact remains that bad press is all that will likely come of losing HIPAA data. See above for ramifications. Did I mention HIPAA is a 1996 thing and the year right now is 2009? 2 prosecutions?

So here is the lesson I keep learning and repeating about how to protect data. The only solution that works is to have government regulations with real teeth. The day we assign jail time, personal fines and prosecute offenders will be the day our data becomes safer. Right now everyone looks at the least they can do to satisfy the rules, or how much the fine is vs the cost to implement safeguards. If the fine is steeper, the demand for good security goes up, and industry produces better security more often.

If you are a consumer, suck it up and pay to have your credit monitored. Your personal data WILL be stolen and it will not be your fault. If you decide to be insured or monitor your credit, you are taking some good advice from someone who watches admins lose data all the time.

Mac vs win-PC article on PCworld nails some good points

28 April, 2009 (18:35) | mac, Mindless Blather, prediction | No comments

Priceless-

http://www.pcworld.com/article/163836/eight_reasons_your_next_computer_should_be_a_pc.html

There are many many other reasons the cycle won’t be broken. Macs are cool, just not going to dominate.

Home users tend to buy what they have at work. Mac refuses to support old OS and software choices. Too many businesses get stuck in a rut where they run an old Windows OS because of an old application. Can’t do that on a mac. They want a low renewal and replacement age.

This can be seen in so many ways. Hardware that breaks a lot. Never easy to maintain. Even the G5 tower had impossible-to-remove processors despite their incredibly high failure rate. Wasn't the G5 tower supposed to be all easy to swap things in and out of? Pshaw. Macs are created to be as disposable as possible. Cracking all the iMacs open has always sucked. The CRT monitors were always having huge issues. The MacBook Air overheats. Just check the Apple forums. Same problems, same Chinese innards, different sticker.

Mac is a closed system, which is why it works well. It should, as it is written/built by Apple (still amazing considering the amount of code for any OS). They are getting close to the thin line between monopoly and cool small competitor. A closed system can't survive with a large market share because lawsuits will force them to stop being a monopoly. No more scuttling Mac clone vendors, software has to be supported longer, programs from 3rd parties cause kernel panics. Viruses and spyware run rampant on OSes that have too many 3rd party applications not controlled by the Mac. Not a PC I want to own. I like the low market share closed system Macs I own now. They don't crash too often, have more patches than Raggedy Ann, but look good and keep clickin'. Security through obscurity rocks.

Mac can't possibly keep the insane stock price, can they? I hate when a stock is overvalued because it is trendy to own vs performing. Here are today's numbers to compare:


Today's numbers (image)

The top 2 rows are today; the dividends are bunk, from me looking on Google quickly.

Yeah, dividends are hard to predict right now, but go Google it yourself. Still more than 0 for the last 3. I don't have any stock at $100 a share that doesn't pay.

Overall my psychic prediction is this- Mac can not have a large market share and still be Mac. If they get big, you will see malware, crashes, clones, and windows running on mac hardware. OR you will still see rabid mac fans supporting a small company that popularizes cool tech. Notice I didn’t say innovates, creates, invents.

Ad blocking

28 April, 2009 (17:42) | antivirus/spyware, security | No comments

Firefox ad blocker – Adblock plus – easy install. Works well.

Google Chrome ad blocker -Adsweep.org – follow the instructions, it will only take a minute or two to copy and paste what you need.

IE – download and run IE8, turn on the “in private” browsing thinger.

For all 3: download and install the hosts file from MVPS.org. This maintains a list of bad guys and prevents your computer from sending any traffic there. Make a calendar appointment to update it every few months or so.
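An added script (not from the original post) for that calendar appointment: it refreshes the MVPS block list in the Windows hosts file while keeping your own entries, and refuses any downloaded line that points somewhere other than 0.0.0.0 or 127.0.0.1. It assumes the list is served at the URL in the script (the post only names MVPS.org) and an elevated prompt.

```powershell
# Added example (not from the original post): refresh the MVPS block list in the
# Windows hosts file, keeping your own entries. Assumes the list is still served
# at $Source (the post only names MVPS.org) and an elevated prompt. Every
# downloaded line is checked before it is written: an entry must point at
# 0.0.0.0 or 127.0.0.1, so a tampered list cannot silently redirect real sites.
$Source    = 'http://winhelp2002.mvps.org/hosts.txt'   # assumed MVPS download location
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Begin     = '# BEGIN MVPS BLOCKLIST (managed by script)'
$End       = '# END MVPS BLOCKLIST'

# Download the list and keep only well-formed sinkhole entries; throw on anything else.
function Get-SafeBlockList([string]$Url) {
    $raw = (Invoke-WebRequest -Uri $Url -UseBasicParsing).Content -split "`r?`n"
    $good = @(foreach ($line in $raw) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#')) { continue }              # comments and blanks
        if ($t -match '^\S+\s+localhost\b') { continue }                # the file's own localhost lines
        if ($t -match '^(0\.0\.0\.0|127\.0\.0\.1)\s+([A-Za-z0-9._-]+)(\s*#.*)?$') {
            "$($Matches[1]) $($Matches[2])"                             # normalised "ip host"
        } else {
            throw "Refusing list: unexpected line '$t'"                 # any other target is suspicious
        }
    })
    if ($good.Count -lt 1000) { throw "List looks truncated ($($good.Count) entries)" }  # arbitrary floor
    return $good
}

# Rewrite the hosts file: everything outside the marker block is kept untouched.
function Merge-HostsFile([string[]]$Entries) {
    $own = New-Object System.Collections.Generic.List[string]
    $inside = $false
    foreach ($line in (Get-Content $HostsPath)) {
        if ($line -eq $Begin) { $inside = $true;  continue }
        if ($line -eq $End)   { $inside = $false; continue }
        if (-not $inside) { $own.Add($line) }
    }
    $merged = @($own) + @($Begin) + $Entries + @($End)
    Copy-Item $HostsPath "$HostsPath.bak" -Force                        # keep the previous copy
    Set-Content -Path $HostsPath -Value $merged -Encoding ASCII
    ipconfig /flushdns | Out-Null                                       # drop cached answers for blocked names
    return $Entries.Count
}

$n = Merge-HostsFile (Get-SafeBlockList $Source)
"Installed $n MVPS entries into $HostsPath (previous copy saved as hosts.bak)"
```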

Antivirus boot cds

27 April, 2009 (10:41) | antivirus/spyware | No comments

Antivirus boot cds are the easiest way to clean a virus. Download an .iso and burn it to a cd with a tool like ISO Recorder, which is free thanks to Alex Feinman, the brilliant author. The magic of an antivirus boot cd comes from booting off a device other than your hard drive. If a virus is on your hard drive, it has the ability to hide itself when the hard drive boots. When you boot into a cd, it doesn't care; it doesn't load or look at any of the code the virus has injected. It just boots to itself, then lets you look at the hard drive as it really is and clean it up.

So burn one of the discs below and put it in your optical drive. Do a cold reboot and start it up; if it doesn't start booting to the cd you need to figure out how to tell your computer to boot to cd. A lot of times F8, F10 or F12 will bring up a boot menu and let you choose what device boots first. Sometimes you will have to get into your BIOS and find the boot order; usually that is Delete or F2. This will take some experimenting or googling based on your own computer model. Can't help everyone in a sentence here.


Here is a list of places to get antivirus boot cds:

AVIRA – Avira boot cd – seems good on SATA, super lightweight. Look for the flag in the lower left corner to choose English if you speak that. Good detection rate. Configure the options to rename infected files BEFORE you run it.

BITDEFENDER – BitDefender rescue cd – not that great at new SATA controllers, but a really good Knoppix Linux OS to run out of. This one is pretty, autoruns, and is easy to use. There is a rootkit scanner called chkrootkit; you should run that after your AV scan completes. You can also configure your network using this one, and get the latest updates off the web using the shortcut "update signatures" on the desktop.

KASPERSKY – Kaspersky boot cd – this is my favorite because of its success rate. This one usually is all I need to clean boot sector, rootkits, whatever. Then go back with something else to fix other problems: Sysinternals ERD Commander, Hiren's, UBCD etc.

UBCD (McAfee, F-Prot) – Download the iso from securitywonks; don't trust a torrent. Read up either on the securitywonks or UBCD4Win webpage for the latest on how their tools work for you. Multiple AV scanners. Good stuff. Should have everything you need to fix a computer: password reset, system restore, disk error checking etc.

quick check for when your user rebooted last

17 April, 2009 (09:22) | How to | No comments

net statistics workstation

Works great when you don't want to trust the words out of your user's mouth. Just look at the date and time it last started. Not 100% accurate all the time, but I think it is the fastest check I know right now.

why it is hard to stay motivated to post stuff here

17 April, 2009 (08:28) | Mindless Blather | No comments

.xlsx and .docx are being saved as a zip file in explorer?

17 April, 2009 (06:51) | How to | 42 comments

#1 fix – stop using Internet Explorer. Use Google Chrome

#2 fix – stop using IE and use Opera

#3 fix – stop using IE and use Firefox

I strongly suggest you expand your horizons if you haven't used a browser other than IE. You need to be able to troubleshoot problems to see if they are browser-based or not. So use at least 2 browsers at all times.

MS support is USELESS. We did 3 support calls over the span of a few months. Each time a bunch of guys in India were remote controlling the machine. Each time they failed to fix and diagnose the problem.

Here is what we know so far about the problem and workarounds:

This problem is with Office 2007 files being downloaded in IE. Mine specifically is downloading an xlsx doc from Gmail. It changes the name from file.xlsx to file_xlsx.zip or filexlsx.zip depending on the profile used. If you save the file, unzip it and open it, it is the document. It opens directly from Firefox and Chrome doing the same.

It is a problem on IE7 and IE8

Machine is running vista, not in a domain

It is not a problem with 7zip or winzip in most cases.

This is a really weird one. Your symptom is that when you click on an attachment or try to save a .docx or .xlsx from Internet Explorer, it saves as filename.docx.zip or filename.xlsx.zip. When you save the file, it is saved incorrectly and will not open. You can't unzip and open it; it shows a bunch of gibberish. When the open/save option comes up, you can see the filename.docx has been changed to docx.zip.

The problem does not occur in Firefox or Chrome on a broken machine. This problem seems to have 3 distinct causes.

A. Apache MIME types on the server are set incorrectly. Basically this is a menu on the server that your browser uses. So if the server says "I'm serving pancakes, sausage and OJ," your client is getting a menu that says 1 thing: cheeseburgers. Everything looks like a cheeseburger and is downloaded as a cheeseburger, AKA a zip file. I have set up an Apache server and successfully broken and fixed this problem. No self-respecting admin should have this broken. If this is a server at your work, demand to yank the nerd card from the admin. They are playing games with you and trying to force you to another browser, or they are incompetent.
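An added check for cause A (not from the original post): it asks the server for the headers of a .docx/.xlsx URL and reports whether the Content-Type is the real Office type or the zip type that makes IE rename the download. The URL is whatever you are testing; only the headers are fetched.

```powershell
# Added example (not from the original post): check how a web server labels an
# Office 2007 download, which is cause A above. IE goes by the server's
# Content-Type header, so a server that answers application/zip for a .docx or
# .xlsx is what turns the download into "file_xlsx.zip". Any URL to such a file
# will do; nothing is downloaded beyond the headers.
param([Parameter(Mandatory = $true)][string]$Url)

# Registered media types for the two Office Open XML formats the post deals with.
$Expected = @{
    '.docx' = 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
    '.xlsx' = 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
}

function Test-OfficeContentType([string]$Url) {
    $ext = [System.IO.Path]::GetExtension(([uri]$Url).AbsolutePath).ToLowerInvariant()
    if (-not $Expected.ContainsKey($ext)) { throw "Not a .docx/.xlsx URL: '$ext'" }

    # HEAD returns just the headers the browser sees before it decides how to save the file.
    $resp   = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    $served = ("$($resp.Headers['Content-Type'])" -split ';')[0].Trim()   # drop any charset suffix

    $verdict = if ($served -eq $Expected[$ext]) { 'OK' }
               elseif ($served -match 'zip') { 'BROKEN: server calls it a zip, IE will save it as .zip' }
               elseif ($served -eq 'application/octet-stream') { 'GENERIC: no real type, the browser has to guess' }
               else { 'WRONG: unexpected type' }

    [pscustomobject]@{ Url = $Url; Served = $served; Expected = $Expected[$ext]; Verdict = $verdict }
}

Test-OfficeContentType -Url $Url

# Apache fix for cause A, in mime.types, httpd.conf or an .htaccess:
#   AddType application/vnd.openxmlformats-officedocument.wordprocessingml.document .docx
#   AddType application/vnd.openxmlformats-officedocument.spreadsheetml.sheet .xlsx
```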

B. I confirmed on several machines in my office this is a problem caused by WinZip 12.0. Normally I have users install 7zip because it is a nicer, free open source version of WinZip. Apparently WinZip is hijacking part of Internet Explorer when it installs. To fix this problem, send yourself an email that has a .docx and one that has a .xlsx. Verify that Internet Explorer is saving them as a zip.

Verify that you can NOT open the zip file and extract a .docx etc (if you can extract the office doc inside, this one isn’t your problem, move on)

then:

1. Uninstall winzip

2. reboot, test your emailed test files.

3. If that didn’t fix it, open internet explorer

4. Go to Tools > Options, click on the Security tab, select "Internet", hit Custom settings

5. Way down the list look for "Open files based on content, not file extension." Write down what it is set to, then flip it to the opposite and reboot.

6. DONE! Should be done anyways. That fixed it for me on 4 machines, 2 vista business and 2 vista home premium. Let me know if you have any success. Also I suggest 7zip for your replacement tool.

C. This problem happens in Google Mail!! They insist their mime types are correct. I need feedback on this page if you are having the same problem so that the next time I call I can point to the number of users having the problem. I’ve put many full days into this stupid issue now. Throw me a bone with some data points.

Leave me a comment if this fixes or fails to fix yours. Good luck!

http://www.mozilla.com/firefox/

1066 DDR2 runs at 800MHz out of the box

25 February, 2009 (06:26) | Mindless Blather | No comments

I have a friend complaining about ram that is rated to run at 1066 out of the box on a motherboard that supports 1066 out of the box running at only 800 when put together. You have to manually set the timing in the bios.

I'm not sure if I'm on the manufacturer's side or not. I think the only people running out buying 1066 RAM that I know are people who understand heat management inside a case. If my grandma had some put in, her computer might cook because it is buried under so much stuff. Who knows if Geek Squad or some shop out there might put better RAM in people's computers so they can charge more. Then a normal user cooks their motherboard. Any thoughts?
